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Electricity Belivery and ELECTRIC EMERGENCY INCIDENT AND 
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NOTICE: IMS report is mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other sanctions as provided by 
law. For the sanctions and the provisions concerning the confidentiality of information submitted on this form, see General Information portion of die instructions. 
Title 18 TJSC 1001 makes it a criminal offense for any person knowingly and willingly to make to any Agency' or Department of the United States any false, 
fictitious, or fraudulent statements as to auv matter within its jurisdiction. 


RESPONSE DUE: 

Within 1 hour of the incident, submit Schedule 1 and lines M - Q in Schedule 2 as an Emergency Alert repeat if criteria 1-8 are met. 

Within 6 hours of the incident, submit Schedule 1 and lines M - Q in Schedule 2 as a Normal Report if only criteria 9-12 are met. 

By the later of 24 hours after the recognition of the incident OR by the end of the next business day submit Schedule 1 & lines M - Q in Schedule 2 as a System 
Report if criteria 13-24 are met. Note 4 00pm local time will be considered the end of the business day 

Submit updates as needed and/or a final report (all of Schedules 1 and 2) within 72 hours of the incident. 

For NERC reporting endues registered in the United States; NERC has approved that the form OE-417 meets die submittal requirements for NERC. There may 
be other applicable regional, state and local reporting requirements. 


METHODS OF FILING RESPONSE 
(Retain a completed copy of this form for your files.) 

Online: Submit form via online submission at: httm://www.oe.iietl.doe.flov/OE417/ 

FAX: FAX Form OE-417 to the following facsimile number (202) 586-8485. 

Alternate: If you are unable to submit online or by fax, forms may be e- mailed to doehQeoc@ha.doe.gov . or call and report the information to the 

following telephone number: (202) 586-8100. 


SCHEDULE 1 - ALERT CRITERIA 

,e 1 of 4 


Criteria for Filing ( Check all that apply) 
See Instructions For More Information 


1. [ ] Physical attack that causes major interruptions or impacts to critical infrastructure facilities or to operations 

2. [ X ] Cyber event that causes interruptions of electrical system operations 

3 . [ j Complete operational failure or shut-down of the transmission and/or distribution electrical system 

4. [ J Electrical System Separation (Islanding) where part or parts of a power grid remain(s) operational in an otherwise 

blacked out area or witJiin the partial failure of an integrated electrical system 

5. [ ] Uncontrolled loss of 300 Megawatts or more of firm system loads for 15 minutes or more from a single 

incident 

6. ( J Finn load shedding of 100 Megawatts or more implemented under emergency operational policy 

7. [ J System-wide voltage reductions of 3 percent or more 

8. [ ] Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the Bulk Electric System 


EMERGENCY ALERT 
File wiliuu I-Hour 

If any box 1-8 on the right is 
checked, this form must be 
filed within 1 hour of the 
incident; check Emergency 
Alert (for the Alert Status) on 
Liue A below. 


NORMAL REPORT 
File within 6-Hours 

If any box 9-12 on the right is 
checked AND none of the 
boxes 1-8 are checked, this 
form must be filed within 6 
hours of the incident; check 
Noimal Report (for the Alert 
Status) on Line A below. 


9. ( } Physical attack that could potentially impact electric power system adequacy or reliability; or vandalism which 

targets components of any security systems 

10. ] Cyber event that could potentially impact electric power system adequacy or reliability 

11. [ ] Fo ss °f electric service to more than 50,000 customers for i hour or more 

12. [ ] Fuel supply emergencies that could imp act electric powet system adequacy or reliability 
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SYSTEM REPORT 
File within 1-Business Day 

If any box 13-24 on the right is 
checked AND none of the 
boxes 1-12 are checked, this 
form, mast be filed by the later 
of 24 hours after the 
recognition of the incident OR 
by the end of the next business 
day. Note 4:00pm local time 
will be considered the end of 
the business day. Check 
System Report (for die Alert 
S tatus) on Line A below. 


SCHEDULE 1 - ALERT CRITERIA - CONTINUED 

(Page 2 of 4) 


13. [ ] Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or 

Transmission Operator Area that results in action(s) to avoid a Bulk Electric System Emergency. 

14. [ ] Damage or destruction of its Facility that results from actual or suspected intentional human action. 

15. [ j Physical threat to its Facility excluding weather or natural disaster related threats, which has the potential to 

degrade the normal operation of the Facility. Or suspicious device or activity at its Facility. 

16. [ ] Physical threat to its Bulk Electric System control center, excluding weather or natural disaster related threats, which 

has the potential to degrade the normal operation of the control center. Or suspicious device or activity at its Bulk 
Electric System control center. 

17. [ ] Bulk Electric System Emergency resulting in voltage deviation on a Facility; A voltage deviation equal to or 

greater than 10% of nominal voltage sustained for greater than or equal to 15 continuous minutes. 

18. [ 3 Uncontrolled loss of 200 Megawatts or more of finn system loads for 15 minutes or more from a single incident for 

entities with previous year's peak demand less than or equal to 3,000 Megawatts 

19. [ J Total generation loss, within one minute of: greater than or equal to 2,000 Megawatts in the Eastern or Western 

Interconnection or greater than or equal to 1,400 Megawatts in the ERCOT Interconnection. 

20. [ J Complete loss of off-site power (LOOP) affecting a nuclear generating station per the Nuclear Plant Interface 

Requirements. 

21. [ J Unexpected Tr ansmis sion loss within its area, contrary to design, of three or more Bulk Electric System 

Facilities caused by a common disturbance (excluding successful automatic reclosing). 

22. [ ] Unplanned evacuation from its Bulk Electric System control center facility for 30 continuous minutes or more. 

23. [ J Complete loss of Interpersonal Communication and Alternative Interpersonal Communication capability affecting 

its staffed Bulk Electric System control center for 30 continuous minutes or more. 

24. [ J Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 

continuous minutes or more. 


If significant changes haw occurred after filing the initial report, re-file the form with the changes and check Update (for the Alert Status) on Line A below. 
The form must be re-filed within 72 hours of the incident with the latest information and Final (Alert Status) checked on Line A below, unless updated 



Alert Status (check one) 


B. Organization Name 



Address of Principal Business Office 



Normal Report 

System Repoil 

Update 

[ 1 

[ 1 

[ J 

6 Hours 

1 Business Day 

As required 


2180 South 1300 East Suite 600 SaR Lake City Utah 84106 


Final 
[ ] 
72 Hours 
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SCHEDULE 1 - ALERT NOTICE 

3 of 41 



Geographic Area(s) Affected 
(County. State) 


Date,'1'ime Incident Ended 
(mns-dd-Yv/ hh:mm) using 24-hour clock 


Did the incident/disftnbance originate in your 
system/area? (check one) 


Estimate of Amount of Demand Involved 
(Peak Megawatts) 


Estimate of Number of Customers Affected 


California: Kem County, Los Angeles County; Utah: Sait Lake County; Wyoming: Converse County; 

_£&- (1*1 -201!) i m : 1? [ 

mo dd vy hh ami f 

] Eastern 

1 Pacific 

[ ] Central EX) Mountain 

[ 1 Alaska [ 1 Hawaii 




No [ ] 

Unknown [X ] 

Zero EX] 

Unknown [ ] 

Zero EX] 

Unknown [ ] 


J. Cause 


SCHEDULE 1 - TYPE OF EMERGENCY 

Check all that apply 


• K. Impact 


L. Action Taken 


□ Unknown 

□ Physical attack 

□ Threat of physical attack 

□ Vandalism 

□ Theft 

□ Suspicious activity 

□ Cyber event (information technology) 

82 Cyber event (operational technology) 

□ Fuel supply emergencies, interruption, or 
deficiency 

□ Generator loss or failure not due to fuel supply 
interruption or deficiency or transmission 
failure 

□ Transmission equipment failure (not including 
substation or switchyard) 

□ Failure at high voltage substation or switchyard 

□ Weather or natural disaster 

□ Operator action(s) 

□ Other 

S3 Additional Information/Comments: 

Initial assessment revested that a faewatl exploit was 6kety utilized to 
execute a denial of service altar* that caused the firewals to reboot 
tearing to an approximately 5 minute communications outage 


□ None 

□ Control center loss, failure, or evacuation 

□ Loss or degradation of control center monitoring 
or communication systems 

□ Damage or destruction of a focility 

□ Electrical system separation (islanding) 

□ Complete operational failure or shutdown of the 
transmission and/or distribution system 

□ Major transmission system interruption (three or 
more BES elements) 

□ Major distribution system interruption 

□ Uncontrolled loss of 200 MW or more of firm 
system loads for 15 minutes or more 

□ Loss of electric service to more than 50.000 
customers for 1 hour or more 

□ System-wide voltage reductions or 3 percent or 
more 

□ Voltage deviation on an individual facility of 
>10% for 15 minutes or more 

□ Inadequate electric resources to serve load 

□ Generating capacity loss of 1,400 MW or more 

□ Generating capacity' loss of 2,000 MW or more 

□ Complete loss of off-site power to a nuclear 
generating station 

53 Other 

SI Additional Information/Comments: 

Firewall reboots resuHed in brief common ic3ticns outages 
(approximately 5 minutes) between field devices at sites and between 
the sites and sPoweVs Control Center 


□ None 

□ Shed Firm Load. Load shedding of 100 
MW or more implemented under 
emergency operational policy (manually 
or automatically via UFLS or remedial 
action scheme) 

□ Public appeal to reduce the use of 
electricity for the purpose of maintaining 
the continuity of the electric power 
system 

□ Implemented a wanting, alert, or 
contingency plan 

□ Voltage reduction 

□ Shed Interruptible Load 

□ Repaired or restored 

□ Mitigation implemented 

81 Other 

S3 Additional Information/Comments 

After teaming of the potential cause of the reboot sPower 

started testing and deployment of an update to remove the 

exploited vuherabtHy 
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SCHEDULE 2 ~ NARRATIVE DESCRIPTION 


(Page 4 of 4) 

Information on Schedule 2 will not be disclosed to the public to the extent that it satisfies the criteria for exemption wider the Freedom of Information Act, e.g. 
exemptions for confidential commercial information and trade secrets, certain information that could endanger the physical safety of an individual, or 

Critical Energy Infrastructure Information. 


information designated as 


NAME OF OFFICIAL THAT SHOULD BE CONTACTED FOR FOLLOWUP OR ANY ADDITIONAL INFORMATION 


Lucas Root 


Director, Operations 


com 


R. Narrative: ■ 

Tli'o in tarnation wilt be provided in a subsequent update after additional information gathering 


S. Estimated Restoration Date for all Affected Customers 
Who Can Receive Power 


Pioneer, Beacon 4, ABSR.DSR1, DSR2, Beacon 1, Elevation C, WABSRB, Bayshore A, Bayshore B, Bayshore C, Mid Sofveide. 


T. Name of Assets Impacted 


NERC is an entity that is certified by the Federal Energy Regulatory Commission to establish and enforce reliability 
standards for the bulk power system but that is not part of the FederalGovernment This information would be 
submittedto help fiilfill the respondent's requirements underNERC’s reliability standards. 


If approval is given to alert NERC and/or E-ISAC the Form will be emailed to systemawareness!® nerc.net and/or 
opeiations@eisac.com when it is submitted to DOE. DOE is not responsible for ensuring the receipt of these emails 

by NERC and/or E-ISAC. 


25 Notify NERC j 65 Notify E-KAC 



































